May 2019 - FreeIPA-users - Fedora mailing-lists

SOA generation algorythm
by Andrey Bondarenko 29 May '19

29 May '19

Hello, Is the SOA generation algorithm for zones documented anywhere or anyone by chance knows what it is? We have cluster of 8 nodes and SOA is different on some IPAs in some zones (with huge amount of changes). But if I make a change I actually see it on different IPA. Also, restarting IPA increases SOA by 1. We wanted to relay on SOA on our DNS consistency check but seems like it's not a working idea, or is it? -- With best regards, Andrey Bondarenkomail:me@andreybondarenko.comhttps://andreybondarenko.com skype:andrey.bondarenko phone, Telegram, WhatsApp, etc:+420-773-591-443 7758 40AC 88CC 96C9 0C9A 9EE4 3B72 547B 7538 D41B

2 3

Re: zabbix for monitoring FreeIPA server?
by Alex Corcoles 29 May '19

29 May '19

The output of ipactl looks very similar to systemctl status. Is it doing much more than that? I'm already monitoring systemd failed units so I wonder if it's running checking ipactl. On Wed, Sep 19, 2018 at 1:33 PM Neal Harrington via FreeIPA-users < freeipa-users(a)lists.fedorahosted.org> wrote: > Hi Tony, > > > I'm monitoring using the following userparameter (basically run "ipactl > status" and grep out lines which are known good so only errors are > returned): > > > UserParameter=ipa.status,sudo /usr/sbin/ipactl status 2>&1 | egrep -v > "(INFO\: The ipactl command was successful$|: RUNNING$)" > > > ipactl needs root access so I have a file in /etc/sudoers.d/zabbix with > these lines to allow the zabbix user to sudo the ipactl status command only > without a password: > > > ## Allow zabix to query ipa status > Defaults:zabbix !requiretty > zabbix ALL = (root) NOPASSWD: /usr/sbin/ipactl status > > The final challenge I had was selinux which I had to create a custom rule > for (but most people seem to just disable selinux). > > > Then just create a trigger to alert if the returned value contains any > characters. eg this matches on any char apart from whitespace: > > {Custom Template IPA Server:ipa.status.regexp([^\s],1200)}=1 > > > If anyone else has a better way to do this I'd be interested to hear it. > > > Regards, > > Neal. > > > > > > ------------------------------ > *From:* Tony Brian Albers via FreeIPA-users < > freeipa-users(a)lists.fedorahosted.org> > *Sent:* 24 August 2018 10:50 > *To:* freeipa-users(a)lists.fedorahosted.org > *Cc:* Tony Brian Albers > *Subject:* [Freeipa-users] zabbix for monitoring FreeIPA server? > > Hi guys, > > Anyone got this working? > > And if so, how did you do it? > > I know I can monitor the components separately, but if you know of > anything that can do it easier I'd be happy to know about it. > > /tony > -- > -- > Tony Albers > Systems administrator, IT-development > Royal Danish Library, Victor Albecks Vej 1, 8000 Aarhus C, Denmark. > Tel: +45 2566 2383 / +45 8946 2316 > _______________________________________________ > FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org > To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org > Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > List Archives: > https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahos… > _______________________________________________ > FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org > To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org > Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > List Archives: > https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahost… > -- ___ {~._.~} ( Y ) ()~*~() mail: alex at corcoles dot net (_)-(_) http://alex.corcoles.net/

3 4

Mapping freeipa's groups over AD
by Lucas Diedrich 28 May '19

28 May '19

Hello guys, i found lots of tutorials helping on how to map AD (Active Directory) users over Freeipa as seen here: https://jamalshahverdiev.wordpress.com/2017/09/09/integration-freeipa-in-ce… and http://prolinuxhub.com/integrate-freeipa-with-windows-2016-active-directory/ My question is, can i make the other way around? I wan't to map the Freeipa Group (Admin) as admin over the Active Directory. Can i? I've already setup an transient two-way trust between both, authentication works nice for freeipa users over AD. I just want to setup admin users for the windows workstations. Thanks.

5 9

Active Directory Integration advise
by Prashant Bapat 27 May '19

27 May '19

Hi All, I’m to setup FreeIPA in my organization to be the central directory for users/group/SSH keys and maybe sudo rules. All the users and groups are already present in Windows Active Directory. So far I’ve tried setting up AD Trust but this does not get the users in AD to login to web UI of FreeIPA. I have looked at Passync as well but as per the docs only users will be synced that too only on a password change and groups won’t be. To give you more details below is my use case. 1. The users and groups are in AD. 2. A user in AD should be able to login to FreeIPA web UI using AD password and manage their SSH keys. 3. Groups on AD should reflect in FreeIPA. Appreciate if anyone can point me in the right direction. Regards. --Prashant

2 4

upgrade freeipa from version 4.1.4 to 4.6.4
by Fritjof Konkas 26 May '19

26 May '19

I have a old version of freeipa server version 4.1.4 running on fedora 22. Is it possible to migrate the data from ditto to version 4.6.4 on another server running centos 7? /Fritjof

2 1

sudo rule does not work for domain user
by Rob Verduijn 24 May '19

24 May '19

Hello, I'm trying to figure out why an ad-domain user cannot use sudo. When I test with ipa hbactest --user=ansible --host ipa01.linux.example.com --service sudo-i It says access granted: True however if I issue the command 'sudo -l -U ansible' on the ipa01 host it says:User ansible(a)windows.example.com is not allowed to run sudo on ipa01 It works for an ipa user using the same sudo rule. id ansible works as well on the ipa01 host uid=1958801104(ansible(a)windows.example.com) gid=1958801104( ansible(a)windows.example.com) groups=1958801104(ansible(a)windows.example.com),1958800512(domain admins(a)windows.example.com),1958800513(domain users(a)windows.example.com) the user ansible can login to the ipa01 host but cannot issue sudo -i. What am I missing ? Rob Verduijn

2 1

zabbix for monitoring FreeIPA server?
by Tony Brian Albers 24 May '19

24 May '19

Hi guys, Anyone got this working? And if so, how did you do it? I know I can monitor the components separately, but if you know of anything that can do it easier I'd be happy to know about it. /tony -- -- Tony Albers Systems administrator, IT-development Royal Danish Library, Victor Albecks Vej 1, 8000 Aarhus C, Denmark. Tel: +45 2566 2383 / +45 8946 2316

3 3

Statues of the HSM support?
by チョーチュアン 24 May '19

24 May '19

Hi all, I just bought a Nitrokey HSM and trying to set it up with the Freeipa; I'm not sure it's quite supported yet. `ipa-server-install` aborted everytime during CA configuration, reported error was "pkihelper : ERROR Server unreachable due to SSL error: [SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake failure (_ssl.c:1056)" I wonder if the FreeIPA has some modifications that actually breaks HSM support? Environment: OS: Fedora-30-Cloud-base freeipa-4.7.90.pre1-4.fc30 opensc-0.19.0-6.fc30 Here's what I've done: ```sudo ipa-server-install -U \ --allow-zone-overlap \ --auto-forwarders \ --no-reverse \ -r DOMAN.TLD \ -a `pass ipa/admin` \ -p `pass ipa/dm` \ --setup-dns \ --ca-subject='CN=CA Subject Name' \ --pki-config-override=/etc/ipa/override.ini``` and in the `/etc/ipa/override.ini`: ```[DEFAULT] ipa_key_algorithm=SHA256withEC ipa_key_size=nistp384 ipa_key_type=ecc ipa_signing_algorithm=SHA256withEC pki_hsm_enable=True pki_hsm_libfile=/usr/lib64/opensc-pkcs11.so pki_hsm_modulename=nitrohsm pki_token_name=UserPIN (SmartCard-HSM) pki_token_password=648219``` don't mind the password, it's the default and testing only. I have modified the polkit[0] also: ```polkit.addRule(function(action, subject) { if (action.id == "org.debian.pcsc-lite.access_pcsc" && subject.user == "pkiuser") { return polkit.Result.YES; } }); polkit.addRule(function(action, subject) { if (action.id == "org.debian.pcsc-lite.access_card" && action.lookup("reader").startsWith("Nitrokey Nitrokey HSM") && subject.user == "pkiuser") { return polkit.Result.YES; } });``` `sudo -u pkiuser` gives the right card info. I have disabled p11-kit-proxy by hand: ``` #cat /etc/crypto-policies/local.d/nss-p11-kit.config #name=p11-kit-proxy #library=p11-kit-proxy.so ``` and added nitrohsm for it (maybe not necessary): ```/etc/crypto-policies/local.d/hsm.config name=nitrohsm library=opensc-pkcs11.so``` after that, I can successfully add the SmartCard-HSM to `/etc/pki/pki-tomcat/alias` without a problem. the original error snippet: ```Done configuring ipa-custodia. Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes [1/30]: configuring certificate server instance Failed to configure CA instance: CalledProcessError(Command ['/usr/sbin/pkispawn', '-s', 'CA', '-f', '/tmp/tmpciwcfccp'] returned non-zero exit status 1: 'pkihelper : ERROR Server unreachable due to SSL error: [SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake failure (_ssl.c:1056)\nconfiguration : ERROR Server failed to restart\npkispawn : ERROR Exception: server failed to restart\n File "/usr/lib/python3.7/site-packages/pki/server/pkispawn.py", line 547, in main\n scriptlet.spawn(deployer)\n File "/usr/lib/python3.7/site-packages/pki/server/deployment/scriptlets/configuration.py", line 670, in spawn\n raise Exception("server failed to restart")\n\n') See the installation logs and the following files/directories for more information: /var/log/pki/pki-tomcat [error] RuntimeError: CA configuration failed. CA configuration failed.``` [0]: https://gist.github.com/tiran/af7c21882e1732227455a13c3b8ff380 -- Regards, Quan Zhou F2999657195657205828D56F35F9E5CDBD86324B quanzhou822(a)gmail.com

1 0

Certmonger spawns many processes, causing huge load due to swapping
by Jonathan Vaughn 23 May '19

23 May '19

I previously had tested FreeIPA running on a Raspberry Pi 3B+ and as long as I didn't run the Dogtag server on it performance seemed acceptable for the purpose. These are only being used as local DNS/LDAP/Krb5 replicas, everything also runs on both physical x86_64 and VM x86_64 servers as well in more than one location. However now that I'm trying to set up Pis for actual use (previously had set up a test environment to validate using them) I'm running into major performance issues once certmonger starts. Using a systemd timer to delay start until everything else starts at least lets everything else FreeIPA related start up and work, but once certmonger starts it still hammers the system using tons of memory and causing lots of swapping. Is there any reason for it to spawn so many processes all at once, versus doing them in a more serial fashion? And did something change in FreeIPA/certmonger behavior in the last year that would cause such a performance regression in memory limited scenarios? Previously I just had zram swap and it was fine, now I have to replace that with actual swap on storage. Also, there's currently no certs needing renewal or anything on this system, so why does it even spawn so many processes ? root 1699 1 0 03:55 ? 00:00:00 /usr/sbin/certmonger -S -p /var/run/certmonger.pid -n root 1720 1699 0 03:55 ? 00:00:00 /usr/bin/python3 -E /usr/libexec/certmonger/ipa-server-guard /usr/libexec/certmonger/ipa-submit root 1721 1699 0 03:55 ? 00:00:00 /usr/bin/python3 -E /usr/libexec/certmonger/ipa-server-guard /usr/libexec/certmonger/ipa-submit root 1722 1699 0 03:55 ? 00:00:00 /usr/bin/python3 -E /usr/libexec/certmonger/ipa-server-guard /usr/libexec/certmonger/ipa-submit root 1723 1699 0 03:55 ? 00:00:00 /usr/bin/python3 -E /usr/libexec/certmonger/ipa-server-guard /usr/libexec/certmonger/ipa-submit root 1724 1699 0 03:55 ? 00:00:00 /usr/bin/python3 -E /usr/libexec/certmonger/ipa-server-guard /usr/libexec/certmonger/ipa-submit root 1725 1699 0 03:55 ? 00:00:00 /usr/bin/python3 -E /usr/libexec/certmonger/ipa-server-guard /usr/libexec/certmonger/ipa-submit root 1726 1699 0 03:55 ? 00:00:00 /usr/bin/python3 -E /usr/libexec/certmonger/ipa-server-guard /usr/libexec/certmonger/ipa-submit root 1727 1699 0 03:55 ? 00:00:00 /usr/bin/python3 -E /usr/libexec/certmonger/ipa-server-guard /usr/libexec/certmonger/ipa-submit root 1742 1699 0 03:55 ? 00:00:00 /usr/libexec/certmonger/dogtag-ipa-renew-agent-submit root 1759 1699 0 03:56 ? 00:00:00 /usr/bin/python3 -E /usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit root 1761 1699 0 03:56 ? 00:00:00 /usr/bin/python3 -E /usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit root 1762 1699 0 03:56 ? 00:00:00 /usr/bin/python3 -E /usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit root 1763 1699 0 03:56 ? 00:00:00 /usr/bin/python3 -E /usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit root 1764 1699 0 03:56 ? 00:00:00 /usr/bin/python3 -E /usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit root 1765 1699 0 03:56 ? 00:00:00 /usr/bin/python3 -E /usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit root 1767 1699 0 03:56 ? 00:00:00 /usr/bin/python3 -E /usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit root 1768 1699 0 03:56 ? 00:00:00 /usr/bin/python3 -E /usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit root 1769 1699 0 03:56 ? 00:00:00 /usr/bin/python3 -E /usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit --reuse-existing root 1770 1699 0 03:56 ? 00:00:00 /usr/bin/python3 -E /usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit --reuse-existing root 1771 1699 0 03:56 ? 00:00:00 /usr/bin/python3 -E /usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit --reuse-existing root 1772 1699 0 03:56 ? 00:00:00 /usr/bin/python3 -E /usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit --reuse-existing root 1773 1699 0 03:56 ? 00:00:00 /usr/bin/python3 -E /usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit --reuse-existing root 1774 1699 0 03:56 ? 00:00:00 /usr/bin/python3 -E /usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit --reuse-existing root 1775 1699 0 03:56 ? 00:00:00 /usr/bin/python3 -E /usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit --reuse-existing root 1776 1699 0 03:57 ? 00:00:00 /usr/bin/python3 -E /usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit --reuse-existing Eventually these complete and things settle down but it takes a very long time, and without delaying certmonger until after the rest of FreeIPA it can cause various IPA services to take so long that they die and fail to start.

3 4

secure freeipa exposed to internet
by Stepan Vardanyan 23 May '19

23 May '19

Hello, I've proposed to migrate from OpenLDAP to FreeIPA solution in my organization because the former did not met our requirements as we moving to Single Sign On. We migrated to FreeIPA but set it up with internal DNS name. This was dumb decision as we have a lot of external hosts in AWS and other datacenters which we want to join to our FreeIPA for authentication with one credential and utilize policies (HBAC, sudoers) easily and centrally. We found that there is two solutions: - setup tunnels between AWS and datacenters for making our DNS zone and FreeIPA servers available; - redeploy whole FreeIPA with external DNS name and expose FreeIPA servers to Internet. We end up with second option because first one is very complex, but second option make us think about security. What came to mind is: - disable anonymous bind; - prohibit unencrypted traffic and improve communications security by using options: nsslapd-minssf=128, nsslapd-require-secure-binds=on, sslVersionMin=TLS1.1. So, there is several questions: 1) Is there anything else from security perspective that we should care, configure properly (Kerberos DC for example)? 2) We want to share with users only one Web service from specific replica so users will not cause replication conflicts by modifying entries in other replicas. Is it ok if we close web ports (80, 443) only to localhost on other replicas and leave all other ports on all replicas opened to internet (389,636,88,464)? 3) How secure and strong is default SASL/GSSAPI replication mechanism? I've noticed that traffic is encrypted but can be decrypted by using servers kerberos keytab 4) Overall, even with all previous concerns taken into account cared is it proper to open FreeIPA to internet? This is kinda rhetorical question as we see that this is only choice for us but just want to hear some advices, expert vision. P.S. We don't utilize FreeIPA internal DNS service. DNS is configured on external hosts Thanks in advance.

10 18

2025

2024

2023

2022

2021

2020

2019

2018

2017

FreeIPA-users May 2019